Microsoft Teams Security: 9 Additional Hunting Queries for Advanced Threat Detection

What Changed

Nine additional hunting queries added for Microsoft Teams security monitoring, expanding detection coverage beyond the previous 7 queries.

Detection Surface Unlocked

New hunting capabilities include:

Partner impersonation detection in external Teams messages
Admin submission tracking for malware/phishing trends
OpenPhish URL correlation with Teams messages
External sender profiling and phishing message identification
Malicious URL detection method analysis

Query Logic

Primary data sources: CloudAppEvents, MessageEvents, ThreatIntelligenceIndicator

Partner impersonation detection analyzes sender domain patterns against known partners
Admin submission queries track malware/phish/no-threat verdicts over time
OpenPhish integration correlates external threat feeds with Teams URLs
External sender analysis identifies top phishing sources and message patterns

MITRE Mapping

T1566 - Phishing

Affected Files

Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Microsoft Teams protection/ (9 files)
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/ (9 files)

What Changed#

Detection Surface Unlocked#

Query Logic#

MITRE Mapping#

Affected Files#

What Changed

Detection Surface Unlocked

Query Logic

MITRE Mapping

Affected Files